From 0d809c0979ced9db4d0e500b3e812bba95e52972 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Mon, 28 Sep 2020 20:08:29 +0200
Subject: [PATCH] efi: Lockdown the GRUB when the UEFI Secure Boot is enabled

If the UEFI Secure Boot is enabled then the GRUB must be locked down
to prevent executing code that can potentially be used to subvert its
verification mechanisms.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=98b00a403cbf2ba6833d1ac0499871b27a08eb77]
CVE: CVE-2020-14372
Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
---
 grub-core/kern/efi/init.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c
index 3dfdf2d..db84d82 100644
--- a/grub-core/kern/efi/init.c
+++ b/grub-core/kern/efi/init.c
@@ -20,6 +20,7 @@
 #include <grub/efi/efi.h>
 #include <grub/efi/console.h>
 #include <grub/efi/disk.h>
+#include <grub/lockdown.h>
 #include <grub/term.h>
 #include <grub/misc.h>
 #include <grub/env.h>
@@ -39,6 +40,20 @@ grub_efi_init (void)
   /* Initialize the memory management system.  */
   grub_efi_mm_init ();
 
+  /*
+   * Lockdown the GRUB and register the shim_lock verifier
+   * if the UEFI Secure Boot is enabled.
+   */
+  if (grub_efi_secure_boot ())
+    {
+      grub_lockdown ();
+      /* NOTE: Our version does not have the shim_lock_verifier,
+       * need to update below if added */
+#if 0
+      grub_shim_lock_verifier_setup ();
+#endif
+    }
+
   efi_call_4 (grub_efi_system_table->boot_services->set_watchdog_timer,
 	      0, 0, 0, NULL);